LAMEHUG: APT28 Deploys Live LLM to Generate Attack Commands Mid-Operation

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
APT28 deployed LAMEHUG malware against Ukrainian government targets, making it the first publicly documented malware to integrate a live large language model for real-time attack command generation. Ukraine's CERT-UA disclosed LAMEHUG in July 2025 after detecting it inside security and defense agencies targeted through spear-phishing emails sent from a compromised Ukrainian ministry account.
LAMEHUG is a Python-based infostealer that connects to Alibaba Cloud's Qwen 2.5-Coder-32B-Instruct model via the Hugging Face inference API. Instead of containing hard-coded reconnaissance commands, the malware sends natural-language prompts to the LLM and executes whatever command sequences the model returns. That means the malware's attack logic adapts to each target environment without APT28 ever updating the binary.
The capability this enables was not previously achievable with static malware: LLM-powered malware generates reconnaissance commands tailored to the specific Windows environment, produced on demand from a model that understands system administration tools, Active Directory structures, and Windows forensic artifacts. Every execution produces a unique command sequence, eliminating the fixed behavioral fingerprints that detection systems rely on.
The CrowdStrike 2026 Global Threat Report documents an 89% year-over-year increase in AI-enabled adversary operations. LAMEHUG represents the operational frontier of that shift, and the architecture is reproducible by any actor with Python skills and access to a commercial LLM API.
How Does LAMEHUG Work?
LLM-powered malware like LAMEHUG operates in four distinct phases after initial delivery via spear-phishing attachment.
The malware arrives inside a ZIP archive attached to emails impersonating Ukrainian ministry officials. Attachment filenames observed by CERT-UA include the Ukrainian word for "attachment" as a .pif file, AI_generator_uncensored_Canvas_PRO_v0.9.exe, and Image.py, which exploits the Python file association on Windows to execute without a visible binary. Victims who open the attachment trigger the loader.
Once running, LAMEHUG establishes its LLM channel. The malware sends an HTTP POST request to the Hugging Face router API at https://router.huggingface.co/hyperbolic/v1/chat/completions, authenticated with an API key embedded in the binary. The LLM prompt instructs the model to generate Windows command sequences for system reconnaissance: systeminfo, wmic, tasklist, netstat, ipconfig, dsquery, and directory traversal covering Documents, Desktop, and Downloads. The model returns clean command strings, which LAMEHUG executes via cmd.exe or PowerShell.
Collected data is written to %PROGRAMDATA%\info\info.txt before exfiltration. The malware supports two exfiltration paths: SFTP upload to 144.126.202.227 on port 22, or HTTP POST to stayathomeclasses[.]com/slpw/up.php. A decoy document is displayed to the victim while collection runs in the background.
The LLM integration means no two LAMEHUG executions produce identical command sequences. Traditional signature-based detection systems that match specific command strings, PowerShell patterns, or Windows API call sequences fail against malware that generates new command logic on each run.
Spear-phishing from compromised ministry account
APT28 sends emails from a compromised Ukrainian government address attaching a ZIP containing .pif or .exe payloads disguised as ministry documents.
LLM API call to Hugging Face for command generation
LAMEHUG authenticates to the Hugging Face router API and prompts Qwen 2.5-Coder-32B-Instruct to produce environment-specific Windows reconnaissance commands dynamically.
Reconnaissance and document harvesting
LLM-generated commands enumerate system info, Active Directory structure, running processes, and network configuration; document files are staged to %PROGRAMDATA%\info\.
Exfiltration via SFTP or HTTP POST
Staged data is sent to 144.126.202.227 via SFTP or posted to stayathomeclasses[.]com/slpw/up.php, completing the collection cycle.
The AI Capability LAMEHUG Unlocks for APT28
The operational advantage LLM-powered malware delivers is environment-aware reconnaissance without per-target development effort.
Traditional APT tradecraft requires the attacker to build reconnaissance logic into the malware binary before deployment. If the target environment uses a non-standard AD configuration, unexpected software, or unusual directory structures, the static commands either fail silently or generate observable noise that triggers alerts. LAMEHUG removes that constraint entirely. The embedded LLM prompt can be adjusted to focus on specific objectives (credential files, VPN configuration, AD forest topology) without recompiling or redeploying the binary.
APT28, formally designated as Russia's GRU Unit 26165, has operated since at least 2004 and maintains one of the most technically sophisticated toolkits of any state actor. The group previously deployed implants including X-Agent, X-Tunnel, and Komplex. LAMEHUG represents a doctrinal shift: from maintaining a large library of purpose-built implants to deploying lightweight, AI-extensible stagers that adapt post-compromise.
The CrowdStrike 2026 Global Threat Report calls out FANCY BEAR's use of LLM-enabled malware under the LAMEHUG designation, noting that the integration pattern enables adversaries to combine native utilities with LLM-generated logic to reconstruct attack chains that leave no binary artifacts beyond the initial loader. This is a repeatable model other state actors will adopt.
“LAMEHUG marks a shift from AI-as-tooling to AI-in-the-loop malware. The reconnaissance logic is generated at runtime, not written in advance. Defenders who rely on command-sequence signatures are looking at the wrong layer.”
Cato CTRL Threat Research, July 2025
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Confirmed Real-World Examples of AI-Powered Malware
LAMEHUG is not an isolated case. The CrowdStrike 2026 Global Threat Report documents parallel AI weaponization across three additional state-linked actors.
Russia's FANCY BEAR deployed LAMEHUG against Ukrainian defense and government targets, confirmed by CERT-UA's July 2025 advisory. The campaign used compromised Ukrainian ministry email accounts for delivery, granting initial emails high trust from recipients expecting intragovernmental correspondence.
North Korea's FAMOUS CHOLLIMA scaled its IT worker insider threat program using AI-generated personas. The operation places DPRK operatives with access to target networks through AI-synthesized identities applied to remote technical roles. CrowdStrike documents the persona generation as systematic and industrialized.
Russia's PUNK SPIDER used AI-generated scripts to accelerate credential dumping and forensic evidence removal post-compromise. The scripts automate tasks that previously required operator presence: identifying credential caches, determining LSASS protection status, and invoking appropriate bypass techniques based on the live environment.
Google's Threat Intelligence Group separately identified QUIETVAULT, a credential stealer that uses an integrated LLM as an on-site data triager. QUIETVAULT targets GitHub and NPM tokens, then uses LLM prompts to search for additional secrets across the infected system before exfiltration. These cases, alongside the AI-built ransomware toolkit documented in our previous coverage, confirm that AI-in-the-loop malware has reached multiple operational threat groups simultaneously.
Across all four cases, the pattern is consistent: AI handles the decision-making layer that previously required a skilled human operator, compressing the time between initial access and actionable intelligence.
LAMEHUG IOCs and Detection Signals
Block these LAMEHUG indicators at perimeter and endpoint controls immediately.
CERT-UA and Cato CTRL confirmed four LAMEHUG payload variants with distinct SHA256 hashes (full hashes in the IOC table below). Network indicators include the C2 exfiltration server at 144.126.202.227 via SFTP on TCP 22 and the HTTP exfiltration endpoint at stayathomeclasses[.]com/slpw/up.php. The malware also generates outbound HTTPS traffic to router.huggingface.co on TCP 443 for LLM command generation; blocking this endpoint on non-developer endpoints prevents the AI command generation phase from completing.
Host-based indicators: creation of %PROGRAMDATA%\info\ directory and info.txt file, execution of .pif file extensions from user download directories, and dsquery calls in process trees originating from non-administrative accounts.
Behavioral indicators that apply even against novel LLM-powered malware variants: any Python process making HTTPS calls to inference API endpoints (Hugging Face, OpenAI, Anthropic, Alibaba Cloud) and then immediately executing cmd.exe or PowerShell subprocess chains is anomalous and warrants investigation. This behavioral pattern remains consistent regardless of which LLM provider the variant targets.
Organizations that have previously reviewed Windows domain controller exploitation techniques should note that LAMEHUG's dsquery-based AD enumeration (MITRE T1018) targets the same DC infrastructure and uses identical native tooling patterns.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Who Is at Risk From AI-Powered Malware
LAMEHUG's confirmed targeting covers Ukrainian government and defense entities, consistent with APT28's long-term operational focus on NATO-aligned governments and their intelligence partners. CERT-UA's July 2025 advisory noted that security and defense sector entities received the initial spear-phishing wave, delivered via a compromised ministry email account to maximize recipient trust.
The risk extends beyond direct APT28 targets for two reasons. First, the LAMEHUG architecture is publicly documented and reproducible. Any threat actor with Python development capability and access to a cloud LLM API can build a comparable infostealer. The Hugging Face API is free-tier accessible; Alibaba Cloud's Qwen models are openly available. The barrier to deploying LLM-augmented malware in 2026 is a development budget measured in hundreds of dollars, not specialized state resources.
Second, the AI-generated spear-phishing that delivers LAMEHUG is not APT28-exclusive. The Silver Fox campaign in May 2026 used LLM-generated tax-themed phishing emails impersonating government agencies to deploy ABCDoor and ValleyRAT against industrial, retail, and transportation sectors globally. CrowdStrike documents adversary operations targeting more than 90 organizations through GenAI prompt injection to steal credentials and cryptocurrency, without attribution to any single actor.
Organizations in critical infrastructure, financial services, healthcare, and government face the highest exposure based on historical APT28 and eCrime targeting. Any environment running Python on Windows workstations with outbound access to cloud LLM APIs presents a potential LAMEHUG staging surface.
How to Defend Against LLM-Powered Malware
Detection of LLM-powered malware requires behavioral controls at both network and endpoint layers. Signature matching against command strings fails against dynamically generated output, so defenders must move to process-hierarchy and network-destination detection.
Deploy CASB policy restricting outbound connections to inference API endpoints from non-developer endpoints and all server roles. Monitor process trees for Python-to-shell child process patterns. A Python process spawning cmd.exe or PowerShell that then executes systeminfo, wmic, dsquery, or similar tools in rapid sequence is anomalous regardless of the specific commands generated. EDR behavioral rules targeting this parent-child pattern catch LAMEHUG variants even when the specific commands differ.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why LLM-Powered Malware Matters for Your Organization
LAMEHUG changes the detection calculus for intrusions in a way that affects every organization running Windows endpoints, not just those targeted by APT28 directly.
The architecture pattern LAMEHUG introduces is reproducible by any actor with basic Python skills and a commercial LLM API account. APT28's deployment is the operational proof-of-concept. Imitators follow documented techniques with a lag of months, not years. The eCrime actors documented in the same CrowdStrike 2026 Global Threat Report were already operating variants.
Detection systems that rely on command-sequence matching, PowerShell string detection, or WMIC baseline comparisons are structurally misaligned with AI-generated command execution. LAMEHUG's LLM generates commands that are valid, contextually appropriate, and unique per execution, exactly what a legitimate systems administrator would run in that environment. The signal advantage defenders once held through fixed attacker playbooks is diminishing.
The average eCrime breakout time fell to 29 minutes in 2025, down from 62 minutes in 2024. AI-augmented reconnaissance accelerates that timeline further by eliminating the trial-and-error phase of manual discovery. An attacker who lands LAMEHUG on a workstation with AD access can complete environmental reconnaissance in under five minutes with no operator interaction.
The defensive response requires moving upstream: block LLM API access from non-developer hosts, enforce strict process tree controls, and treat any Python-to-shell execution chain as suspicious by behavioral pattern rather than command signature. Full breakdown and live IOC feed at decryptiondigest.com.
The bottom line
LAMEHUG malware proves LLM integration has crossed from attacker experimentation to operational deployment by a top-tier state actor. APT28 used a live AI model to generate reconnaissance commands against Ukrainian government targets, producing unique command sequences that defeat signature-based detection on every run. Three other confirmed actors applied the same AI-in-the-loop pattern in parallel 2025 campaigns. Block inference API endpoints on all non-developer hosts today, build EDR behavioral rules targeting Python-to-shell process chains, and rotate credentials on any system that may have run Python with outbound API access in the past 90 days.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is LAMEHUG malware?
LAMEHUG is a Python-based infostealer attributed to APT28 (Fancy Bear, GRU Unit 26165) that integrates a live large language model to generate Windows reconnaissance and data theft commands at runtime. Discovered by Ukraine's CERT-UA in July 2025, it is the first publicly documented malware to operationally use an LLM for command generation rather than containing hard-coded attack logic.
How does LAMEHUG use an LLM to generate attack commands?
LAMEHUG sends natural-language prompts to Alibaba Cloud's Qwen 2.5-Coder-32B-Instruct model via the Hugging Face inference API at router.huggingface.co. The model returns Windows command sequences using native utilities such as systeminfo, wmic, dsquery, and tasklist. The malware executes returned commands via cmd.exe or PowerShell, stages output to %PROGRAMDATA%\info\, and exfiltrates via SFTP or HTTP POST.
What is the difference between LAMEHUG and traditional malware?
Traditional malware contains fixed command sequences written before deployment. Every execution produces the same behavioral fingerprint that detection systems can match against known-bad libraries. LAMEHUG generates new command sequences at runtime via LLM, meaning each execution is unique. Signature-based controls matching specific command strings cannot reliably detect LAMEHUG variants or the LLM-powered malware pattern generally.
Which sectors does APT28 target with LAMEHUG?
CERT-UA's July 2025 advisory confirmed LAMEHUG targeted Ukrainian security and defense sector entities, consistent with APT28's historical focus on government, military, and NATO-aligned organizations. The delivery method exploited a compromised Ukrainian ministry email account, targeting recipients who expected legitimate intragovernmental correspondence. The underlying architecture is now being replicated by eCrime actors across broader sector targets.
How do I detect LAMEHUG on my network?
Key detection signals include: outbound HTTPS from Python processes to router.huggingface.co or api.hyperbolic.xyz; creation of the directory %PROGRAMDATA%\info\ or info.txt inside it; .pif file execution from user download directories; and Python processes spawning cmd.exe or PowerShell followed immediately by systeminfo, wmic, or dsquery. Block IP 144.126.202.227 and domain stayathomeclasses.com at perimeter.
Has APT28 been sanctioned or indicted?
Yes. The US Department of Justice indicted seven GRU officers associated with APT28 in October 2018 for computer hacking, wire fraud, and identity theft related to the 2016 election and attacks on anti-doping agencies. The EU sanctioned four GRU officers in 2020 for the 2017 Bundestag attack. The UK, Australia, Canada, and New Zealand have attributed multiple APT28 campaigns through coordinated government statements.
Is there a patch for LAMEHUG?
LAMEHUG is malware, not a software vulnerability, so no vendor patch exists. Defense requires operational controls: block outbound access to LLM inference API endpoints from non-developer endpoints, enforce WDAC or AppLocker rules blocking .pif execution, add the four confirmed SHA256 hashes to EDR block lists, configure file integrity monitoring on %PROGRAMDATA%\info\, and block 144.126.202.227 and stayathomeclasses.com at perimeter.
Can existing EDR tools detect AI-powered malware like LAMEHUG?
Existing EDR tools can detect LAMEHUG through behavioral rules targeting the Python-to-shell process chain and LLM API network connections, but require explicit configuration since default rule sets do not address LLM-driven command generation. Signature-based AV matching command strings is unreliable against AI-generated command sequences. Behavioral detection targeting process hierarchy and outbound network destination is the effective detection layer.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
